2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

max time kernel146s
max time network147s
platformwindows7_x64
resourcewin7v20201028
submitted07-04-2021 13:08

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

Filesize

572KB

Completed

07-04-2021 13:11

Score

10^/10

MD5

c882de666f59cdeff7c0f5611d18fa3f

SHA1

2cd4c99affc6aaeae73c0899a77b18d66c9ff2fb

SHA256

2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

Extracted

Family	emotet
Botnet	Epoch2
C2	212.186.191.177:80 91.242.138.5:80 173.13.135.102:80 59.110.18.236:443 45.56.88.91:443 51.68.220.244:8080 206.81.10.215:8080 80.11.163.139:21 182.176.132.213:8090 165.227.156.155:443 118.201.230.249:80 138.201.140.110:8080 46.105.131.87:80 87.106.139.101:8080 24.45.193.161:7080 209.97.168.52:8080 190.12.119.180:443 190.147.215.53:22 191.92.209.110:7080 91.205.215.66:8080 190.211.207.11:443 186.75.241.230:80 173.212.203.26:8080 67.225.179.64:8080 31.12.67.62:7080 128.65.154.183:443 189.209.217.49:80 107.2.2.28:80 167.99.105.223:7080 12.229.155.122:80 104.236.246.93:8080 178.209.71.63:8080 212.129.24.79:8080 95.128.43.213:8080 178.210.51.222:8080 5.88.182.250:80 91.231.166.126:8080 176.31.200.130:8080 192.81.213.192:8080 103.39.131.88:80 164.68.101.171:80 201.184.105.242:443 213.179.105.214:8080 149.202.153.252:8080 47.50.251.130:80 93.147.141.5:80 37.157.194.134:443 181.57.193.14:80 45.33.49.124:443 192.241.255.77:8080 62.75.187.192:8080 31.31.77.83:443 181.143.194.138:443 144.139.247.220:80 181.31.213.158:8080 183.102.238.69:465 206.189.112.148:8080 165.228.24.197:80 59.103.164.174:80 83.136.245.190:8080 107.170.24.125:8080 50.116.86.205:8080 197.254.221.174:80 190.108.228.48:990 104.131.11.150:8080 200.71.148.138:8080 120.150.246.241:80 217.160.182.191:8080 159.65.25.128:8080 167.114.242.226:8080 190.226.44.20:21 92.222.216.44:8080 85.104.59.244:20 101.187.247.29:80 169.239.182.217:8080 104.131.44.150:8080 192.241.220.155:8080 91.73.197.90:80 190.145.67.134:8090 116.48.142.21:443 5.196.74.210:8080 87.230.19.21:8080 211.63.71.72:8080 167.71.10.37:8080 195.244.215.206:80 190.53.135.159:21 80.21.182.46:80 78.24.219.147:8080 31.172.240.91:8080 87.106.136.232:8080 212.186.191.177:80 91.242.138.5:80 173.13.135.102:80 59.110.18.236:443 45.56.88.91:443 51.68.220.244:8080 206.81.10.215:8080 80.11.163.139:21 182.176.132.213:8090 165.227.156.155:443 118.201.230.249:80 138.201.140.110:8080 46.105.131.87:80 87.106.139.101:8080 24.45.193.161:7080 209.97.168.52:8080 190.12.119.180:443 190.147.215.53:22 191.92.209.110:7080 91.205.215.66:8080 190.211.207.11:443 186.75.241.230:80 173.212.203.26:8080 67.225.179.64:8080 31.12.67.62:7080 128.65.154.183:443 189.209.217.49:80 107.2.2.28:80 167.99.105.223:7080 12.229.155.122:80 104.236.246.93:8080 178.209.71.63:8080 212.129.24.79:8080 95.128.43.213:8080 178.210.51.222:8080 5.88.182.250:80 91.231.166.126:8080 176.31.200.130:8080 192.81.213.192:8080 103.39.131.88:80 164.68.101.171:80 201.184.105.242:443 213.179.105.214:8080 149.202.153.252:8080 47.50.251.130:80 93.147.141.5:80 37.157.194.134:443 181.57.193.14:80 45.33.49.124:443 192.241.255.77:8080 62.75.187.192:8080 31.31.77.83:443 181.143.194.138:443 144.139.247.220:80 181.31.213.158:8080 183.102.238.69:465 206.189.112.148:8080 165.228.24.197:80 59.103.164.174:80 83.136.245.190:8080 107.170.24.125:8080 50.116.86.205:8080 197.254.221.174:80 190.108.228.48:990 104.131.11.150:8080 200.71.148.138:8080 120.150.246.241:80 217.160.182.191:8080 159.65.25.128:8080 167.114.242.226:8080 190.226.44.20:21 92.222.216.44:8080 85.104.59.244:20 101.187.247.29:80 169.239.182.217:8080 104.131.44.150:8080 192.241.220.155:8080 91.73.197.90:80 190.145.67.134:8090 116.48.142.21:443 5.196.74.210:8080 87.230.19.21:8080 211.63.71.72:8080 167.71.10.37:8080 195.244.215.206:80 190.53.135.159:21 80.21.182.46:80 78.24.219.147:8080 31.172.240.91:8080 87.106.136.232:8080
rsa_pubkey.plain

Discovery

Emotet

Description

Emotet is a trojan that is primarily spread through spam emails.

Tags

trojan banker emotet

Drops file in System32 directory

wraphant.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wraphant.exe

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Modifies data under HKEY_USERS

wraphant.exe

Reported IOCs

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 50cc57fcaf2bd701	wraphant.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wraphant.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wraphant.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wraphant.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wraphant.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	wraphant.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wraphant.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wraphant.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wraphant.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	wraphant.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	wraphant.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	wraphant.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	wraphant.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 10d741c0af2bd701	wraphant.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wraphant.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wraphant.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	wraphant.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	wraphant.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 10d741c0af2bd701	wraphant.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	wraphant.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 50cc57fcaf2bd701	wraphant.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wraphant.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wraphant.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	wraphant.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	wraphant.exe

Suspicious behavior: EmotetMutantsSpam
2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exewraphant.exe

Reported IOCs

pid process

1888 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
876 wraphant.exe
Suspicious behavior: EnumeratesProcesses
wraphant.exe

Reported IOCs

pid process

876 wraphant.exe
876 wraphant.exe
876 wraphant.exe
876 wraphant.exe
Suspicious behavior: RenamesItself
2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

Reported IOCs

pid process

1888 2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

pid	process
1888	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
876	wraphant.exe

pid	process
876	wraphant.exe
876	wraphant.exe
876	wraphant.exe
876	wraphant.exe

pid	process
1888	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

Suspicious use of SetWindowsHookEx

2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exewraphant.exewraphant.exe

Reported IOCs

pid	process
1724	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
1888	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
1064	wraphant.exe
876	wraphant.exe

Suspicious use of WriteProcessMemory

2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exewraphant.exe

Reported IOCs

description	pid	process	target process
PID 1724 wrote to memory of 1888	1724	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
PID 1724 wrote to memory of 1888	1724	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
PID 1724 wrote to memory of 1888	1724	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
PID 1724 wrote to memory of 1888	1724	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe	2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe
PID 1064 wrote to memory of 876	1064	wraphant.exe	wraphant.exe
PID 1064 wrote to memory of 876	1064	wraphant.exe	wraphant.exe
PID 1064 wrote to memory of 876	1064	wraphant.exe	wraphant.exe
PID 1064 wrote to memory of 876	1064	wraphant.exe	wraphant.exe

C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

"C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe"

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1724

C:\Users\Admin\AppData\Local\Temp\2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe.exe

--ca061b2d

Suspicious behavior: EmotetMutantsSpam
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx

PID:1888

C:\Windows\SysWOW64\wraphant.exe

"C:\Windows\SysWOW64\wraphant.exe"

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1064

C:\Windows\SysWOW64\wraphant.exe

--6e93b09b

Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious behavior: EmotetMutantsSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

PID:876

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/876-12-0x0000000000000000-mapping.dmp

Download
memory/876-14-0x00000000004A0000-0x00000000004B7000-memory.dmp

Download
memory/876-15-0x0000000000400000-0x0000000000493000-memory.dmp

Download
memory/1064-11-0x0000000000B30000-0x0000000000B47000-memory.dmp

Download
memory/1724-6-0x0000000000220000-0x0000000000231000-memory.dmp

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Download
memory/1724-3-0x0000000000260000-0x0000000000277000-memory.dmp

Download
memory/1888-8-0x0000000000400000-0x0000000000493000-memory.dmp

Download
memory/1888-4-0x0000000000000000-mapping.dmp

Download

2db032cc5094301f6d8cec29704880c595a19cbaae211e64e364e3217afa3ebe

Extracted

Filter: none

Description

Tags

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title